Mule security - pgp

Date post: 16-Apr-2017
Upload: vishnukanthro45

Security-PGP


PGP Security

This extension adds PGP security to endpoint communication. With PGP you can achieve end-to-end secure communication between parties using signed and encrypted messages.


Requirements

Policy Files

If you are running JDK 1.4+ that comes with the Sun JCE by default, you must install the Unlimited Strength Jurisdiction Policy files, which can be downloaded from the following URL (note that they are listed entirely at the bottom of the page, in the Other Downloads section):

JDK 1.4, JDK 5, JDK 6

These files must be installed in $JAVA_HOME/jre/lib/security.


According to Sun, the default distribution of the JCE allows "strong, but limited strength cryptography." This means that you cannot use RSA keys bigger than 2048 bits, nor symmetric ciphers that use more than 128 bits. ElGamal is not allowed at all, so DH/DSS cannot be used for encryption.


Encrypting and Decrypting

To encrypt and decrypt messages, you need to configure the following elements:

A security manager: responsible for holding a security provider, which contains the key rings, and the encryption strategy to be used. This allows all messages to be encrypted with the same key, or different key rings to be used.

A key manager: responsible for reading the key rings.

A credential accessor: determines the key ring and key manager to be used to encrypt or decrypt the message being processed.


Example

<spring:beans>
    <!-- Key manager: reads the public and secret key rings. The alias id and
         passphrase are resolved from property placeholders. -->
    <spring:bean id="pgpKeyManager" class="org.mule.module.pgp.PGPKeyRingImpl" init-method="initialise">
        <spring:property name="publicKeyRingFileName" value="pubring.gpg"/>
        <spring:property name="secretKeyRingFileName" value="secring.gpg"/>
        <spring:property name="secretAliasId" value="${public.KeyId.LongValue}"/>
        <spring:property name="secretPassphrase" value="${secret.Passphrase}"/>
    </spring:bean>

    <!-- Credentials accessor: selects the key to use for the message being processed. -->
    <spring:bean id="credentialAccessor" class="com.somecompany.apps.AppCredentialAccessor">
        <spring:property name="credentials" value="John Smith (TestingKey) &lt;[email protected]&gt;"/>
    </spring:bean>
</spring:beans>


<pgp:security-manager>
    <pgp:security-provider name="pgpSecurityProvider" keyManager-ref="pgpKeyManager"/>
    <pgp:keybased-encryption-strategy name="keyBasedEncryptionStrategy"
                                      keyManager-ref="pgpKeyManager"
                                      credentialsAccessor-ref="credentialAccessor"/>
</pgp:security-manager>


The pgpKeyManager bean (inside the spring:beans element) is responsible for reading the key rings. You have to set all of its parameters: the public and secret key rings, the alias id (the long value in the ring), and the secret passphrase. The same section defines the credentials accessor, which must implement the CredentialsAccessor interface; in essence, it returns the key id based on the message (MuleEvent). Finally, the pgp:security-manager element ties both beans together.
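
One way the AppCredentialAccessor bean referenced above could look, as an added example that is not code from the original page or from Mule itself. It assumes the Mule 3.x org.mule.api.security.CredentialsAccessor interface; the pgpKeyOwner inbound property and the allowedCredentials bean property are hypothetical names introduced for illustration. Because message properties can be influenced by the sender, a per-message key selection is only honoured when it is on a configured allow-list.

```java
package com.somecompany.apps;

import java.util.Collections;
import java.util.Set;

import org.mule.api.MuleEvent;
import org.mule.api.security.CredentialsAccessor;

public class AppCredentialAccessor implements CredentialsAccessor {

    // Hypothetical inbound property that names the key owner for one message.
    private static final String KEY_OWNER_PROPERTY = "pgpKeyOwner";

    // Default user id, injected through the "credentials" Spring property.
    private String credentials;

    // Hypothetical allow-list of user ids that a message may select.
    private Set<String> allowedCredentials = Collections.emptySet();

    public String getCredentials() {
        return credentials;
    }

    public void setCredentials(String credentials) {
        this.credentials = credentials;
    }

    public void setAllowedCredentials(Set<String> allowedCredentials) {
        this.allowedCredentials = allowedCredentials;
    }

    // Called by the encryption strategy to decide which key applies to this event.
    public Object getCredentials(MuleEvent event) {
        Object requested = event.getMessage().getInboundProperty(KEY_OWNER_PROPERTY);
        if (requested == null) {
            return credentials; // no per-message choice: use the configured default
        }
        if (!(requested instanceof String) || !allowedCredentials.contains(requested)) {
            // Fail closed instead of encrypting to a key chosen freely by the sender.
            throw new IllegalArgumentException("Requested key owner is not on the allow-list");
        }
        return requested;
    }

    // Credentials are configuration here, not message state, so writes are ignored.
    public void setCredentials(MuleEvent event, Object credentials) {
    }
}
```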


You are ready to encrypt and decrypt messages in your flows. The following two flows show how to use the encrypt-transformer and decrypt-transformer to encrypt and decrypt files.


<flow name="processEncryptFiles">
    <file:inbound-endpoint connector-ref="inputEncrypt"
                           path="file:///temp/fileInput"
                           moveToDirectory="file:///temp/fileInputBackup"
                           moveToPattern="#[header:originalFilename].backup"
                           transformer-refs="file2Bytes" />

    <encrypt-transformer name="pgpEncrypt" strategy-ref="keyBasedEncryptionStrategy" />

    <file:outbound-endpoint connector-ref="output"
                            path="file:///temp/fileOutput"
                            outputPattern="#[function:datestamp]-#[header:originalFilename]" />
</flow>

<flow name="processDecryptFiles">
    <file:inbound-endpoint connector-ref="inputDecrypt"
                           path="file:///temp/fileOutput"
                           moveToDirectory="file:///temp/fileOutputEncrypted"
                           moveToPattern="#[header:originalFilename].backup"
                           transformer-refs="file2Bytes" />

    <decrypt-transformer name="pgpDecrypt" strategy-ref="keyBasedEncryptionStrategy" />

    <file:outbound-endpoint connector-ref="output"
                            path="file:///temp/fileOutputDecrypted"
                            outputPattern="#[function:datestamp]-#[header:originalFilename]" />
</flow>
